Microsoft Windows Server Domain Role Detection

SMB-login based domain role detection with powershell fallback for Windows Server. SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescriptio...

CLEANSTART-2026-BZ28794 Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service

Multiple security vulnerabilities affect the aws-load-balancer-controller package. Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. See references for...

SUSE CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /SyncPlay/New endpoint. An attacker can exhaust system memory and disrupt service availability by submitting excessively large SyncPlay group names in POST requests to the...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path in the POST /Videos/itemId/Subtitles endpoint due to insufficient validation of the Format field, which allows path traversal via the file extension and enables arbitrary file write. An attacker can...

Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access

Summary A Server-Side Request Forgery SSRF vulnerability in Kyverno's CEL HTTP library pkg/cel/libs/http/ allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to internal services in...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

EUVD-2026-22505

Out-of-bounds read in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally...

EUVD-2026-22445

Integer underflow wrap or wraparound in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally...

EUVD-2026-22301

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

EUVD-2026-22300

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...

Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

GHSA-RM5F-3C25-P4CW Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

CVE-2026-32076 Windows Storage Spaces Controller Elevation of Privilege Vulnerability

...

CVE-2026-32076

CVE-2026-32076 describes an out-of-bounds read in the Windows Storage Spaces Controller that enables an authorized local attacker to elevate privileges. The vulnerability is tied to the Storage Spaces Controller component and is documented across multiple sources (NVD/NVD-affiliated listings, Red...

CVE-2026-32076 Windows Storage Spaces Controller Elevation of Privilege Vulnerability

...

CVE-2026-27907 Windows Storage Spaces Controller Elevation of Privilege Vulnerability

...

CVE-2026-27907

CVE-2026-27907 is a Windows Storage Spaces Controller elevation-of-privilege vulnerability caused by an integer underflow. Exploitation would require local access with low privileges. Publicly available sources confirm the issue and that Microsoft released fixes (e.g., KB5082060 for Windows Serve...

CVE-2026-27907 Windows Storage Spaces Controller Elevation of Privilege Vulnerability

...